author | Phil <phil.buschmann@tum.de> | 2017-12-04 15:13:06 +0000 |
---|---|---|
committer | Phil <phil.buschmann@tum.de> | 2017-12-04 15:13:06 +0000 |
commit | 514dd6f53cb735d0e48f35ddf92eae469c0abc8a (patch) | |
tree | d95be0a362c647f72818ece8c00bc5bc499d951f /src/identity-provider/plugin_rest_identity_provider.c | |
parent | 08ea93ee62022a31040e1f1e1b62cf4092c2331b (diff) | |
download | gnunet-514dd6f53cb735d0e48f35ddf92eae469c0abc8a.tar.gz gnunet-514dd6f53cb735d0e48f35ddf92eae469c0abc8a.zip |
-start oidc
Diffstat (limited to 'src/identity-provider/plugin_rest_identity_provider.c')
-rw-r--r-- | src/identity-provider/plugin_rest_identity_provider.c | 171 |
1 files changed, 170 insertions, 1 deletions
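--- a/src/identity-provider/plugin_rest_identity_provider.c
+++ b/src/identity-provider/plugin_rest_identity_provider.c
@@ -65,6 +65,12 @@
 #define GNUNET_REST_API_NS_IDENTITY_CONSUME "/idp/consume"
 
 /**
+ * Authorize namespace
+ */
+#define GNUNET_REST_API_NS_AUTHORIZE "/idp/authorize"
+
+
+/**
  * Attribute key
  */
 #define GNUNET_REST_JSONAPI_IDENTITY_ATTRIBUTE "attribute"
@@ -307,7 +313,7 @@ do_error (void *cls)
 char *json_error;
 
 GNUNET_asprintf (&json_error,
-"{Error while processing request: %s}",
+"{error : %s}",
 handle->emsg);
 resp = GNUNET_REST_create_response (json_error);
 handle->proc (handle->proc_cls, resp, handle->response_code);
@@ -1012,6 +1018,167 @@ options_cont (struct GNUNET_REST_RequestHandle *con_handle,
 }
 
 /**
+ * Respond to OPTIONS request
+ *
+ * @param con_handle the connection handle
+ * @param url the url
+ * @param cls the RequestHandle
+ */
+static void
+authorize_cont (struct GNUNET_REST_RequestHandle *con_handle,
+const char* url,
+void *cls)
+{
+
+//TODO clean up method
+
+
+// The Authorization Server MUST validate all the OAuth 2.0 parameters according to the OAuth 2.0 specification.
+// The Authorization Server MUST verify that all the REQUIRED parameters are present and their usage conforms to this specification.
+// If the sub (subject) Claim is requested with a specific value for the ID Token, the Authorization Server MUST only send a positive response if the End-User identified by that sub value has an active session with the Authorization Server or has been Authenticated as a result of the request. The Authorization Server MUST NOT reply with an ID Token or Access Token for a different user, even if they have an active session with the Authorization Server. Such a request can be made either using an id_token_hint parameter or by requesting a specific Claim Value as described in Section 5.5.1, if the claims parameter is supported by the implementation.
+
+
+
+struct MHD_Response *resp;
+struct RequestHandle *handle = cls;
+
+/*
+* response_type 0
+* client_id 1
+* scope 2
+* redirect_uri 3
+* state 4
+* nonce 5
+* display 6
+* prompt 7
+* max_age 8
+* ui_locales 9
+* response_mode 10
+* id_token_hint 11
+* login_hint 12
+* acr_values 13
+*/
+char* array[] = { "response_type", "client_id", "scope", "redirect_uri",
+"state", "nonce", "display", "prompt", "max_age", "ui_locales",
+"response_mode", "id_token_hint","login_hint", "acr_values" };
+int array_size=14;
+int bool_array[array_size];
+
+struct GNUNET_HashCode cache_key;
+
+//iterates over each parameter and store used values in array array[]
+int iterator;
+for( iterator = 0; iterator<array_size; iterator++){
+GNUNET_CRYPTO_hash (array[iterator], strlen (array[iterator]), &cache_key);
+char* cache=GNUNET_CONTAINER_multihashmap_get(handle->rest_handle->url_param_map, &cache_key);
+bool_array[iterator]=0;
+if(cache!=0){
+size_t size=strlen(cache)+1;
+array[iterator]=(char*)malloc(size*sizeof(char));
+strncpy(array[iterator],cache,size);
+bool_array[iterator]=1;
+}
+}
+
+//MUST validate all the OAuth 2.0 parameters & that all the REQUIRED parameters are present and their usage conforms to this specification
+
+//required values: response_type, client_id, scope, redirect_uri
+if(!bool_array[0] || !bool_array[1] || !bool_array[2] || !bool_array[3]){
+handle->emsg=GNUNET_strdup("invalid_request");
+handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+GNUNET_SCHEDULER_add_now (&do_error, handle);
+return;
+}
+//response_type = code
+if(strcmp(array[0],"code")!=0){
+handle->emsg=GNUNET_strdup("invalid_response_type");
+handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+GNUNET_SCHEDULER_add_now (&do_error, handle);
+return;
+}
+//scope contains openid
+if(strstr(array[2],"openid")==NULL){
+handle->emsg=GNUNET_strdup("invalid_scope");
+handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+GNUNET_SCHEDULER_add_now (&do_error, handle);
+return;
+}
+
+//TODO check other values and use them accordingly
+
+
+char* redirect_url_to_login;
+
+// if(){
+//
+// }else{
+//
+// }
+if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_string (cfg,
+"identity-rest-plugin",
+"address",
+&redirect_url_to_login)){
+
+char* build_array[] = { "response_type", "client_id", "scope", "redirect_uri",
+"state", "nonce", "display", "prompt", "max_age", "ui_locales",
+"response_mode", "id_token_hint","login_hint", "acr_values" };
+
+size_t redirect_parameter_size= strlen("?");
+for(iterator=0;iterator<array_size;iterator++){
+if(bool_array[iterator]){
+redirect_parameter_size += strlen(array[iterator]);
+redirect_parameter_size += strlen(build_array[iterator]);
+if(iterator==array_size-1)
+{
+redirect_parameter_size += strlen("=");
+}else{
+redirect_parameter_size += strlen("=&");
+}
+}
+}
+
+char redirect_parameter[redirect_parameter_size+1];
+redirect_parameter_size = 0;
+redirect_parameter[redirect_parameter_size]='?';
+for(iterator=0;iterator<array_size;iterator++){
+if(bool_array[iterator]){
+//If not last parameter
+if(iterator!=array_size-1)
+{
+char cache[strlen(array[iterator])+strlen(build_array[iterator])+2+1];
+snprintf(cache,sizeof(cache),"%s=%s&", build_array[iterator], array[iterator]);
+strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+2 );
+}else{
+char cache[strlen(array[iterator])+strlen(build_array[iterator])+1+1];
+snprintf(cache,sizeof(cache),"%s=%s", build_array[iterator], array[iterator]);
+strncat(redirect_parameter, cache, strlen(array[iterator])+strlen(build_array[iterator])+1 );
+}
+}
+}
+char redirect_component[strlen(redirect_url_to_login)+strlen(redirect_parameter)+1];
+snprintf(redirect_component, sizeof(redirect_component), "%s%s", redirect_url_to_login, redirect_parameter);
+resp = GNUNET_REST_create_response ("");
+MHD_add_response_header (resp, "Location", redirect_component);
+}else{
+handle->emsg=GNUNET_strdup("No server on localhost:8000");
+handle->response_code = MHD_HTTP_INTERNAL_SERVER_ERROR;
+GNUNET_SCHEDULER_add_now (&do_error, handle);
+return;
+// resp = GNUNET_REST_create_response ("");
+// MHD_add_response_header (resp, "Location", array[3]);
+}
+
+handle->proc (handle->proc_cls, resp, MHD_HTTP_FOUND);
+cleanup_handle (handle);
+for(iterator=0; iterator<array_size; iterator++){
+if(bool_array[iterator]){
+free(array[iterator]);
+}
+}
+return;
+}
+
+/**
  * Handle rest request
  *
  * @param handle the request handle
@@ -1024,6 +1191,8 @@ init_cont (struct RequestHandle *handle)
 {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &list_attribute_cont},
 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_ATTRIBUTES, &add_attribute_cont},
 {MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_IDENTITY_TICKETS, &list_tickets_cont},
+{MHD_HTTP_METHOD_GET, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
+{MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_AUTHORIZE, &authorize_cont},
 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_REVOKE, &revoke_ticket_cont},
 {MHD_HTTP_METHOD_POST, GNUNET_REST_API_NS_IDENTITY_CONSUME, &consume_ticket_cont},
 {MHD_HTTP_METHOD_OPTIONS, GNUNET_REST_API_NS_IDENTITY_PROVIDER,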
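Review bot: In authorize_cont the query-string buffer is never NUL-terminated before the strncat loop: `char redirect_parameter[redirect_parameter_size+1];` is followed only by `redirect_parameter[redirect_parameter_size]='?';`, so the first strncat scans uninitialized stack memory for a terminator and can write past the end of the VLA; add `redirect_parameter[1] = '\0';` right after the `'?'` assignment (or build the string with one snprintf and a running offset). The values are also copied verbatim from the request into the Location header; they come back from url_param_map already decoded, so a value containing `&`, `=` or `#` (and CR/LF, unless MHD_add_response_header rejects control characters) changes the meaning of the login URL, and each value should be percent-encoded before it is appended. The three early error returns (invalid_request, invalid_response_type, invalid_scope) and the "No server" branch leak the malloc'd copies held in array[], and the success path never frees redirect_url_to_login; a single cleanup label reached from every exit would cover all of them. Finally, these client errors are reported as MHD_HTTP_INTERNAL_SERVER_ERROR, whereas OAuth 2.0 expects a 4xx status or an error redirect to a validated redirect_uri; the commented-out `MHD_add_response_header (resp, "Location", array[3]);` must not be revived until redirect_uri is checked against the registered client.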